LETTER FROM THE PRESIDENT

James D. Ratley, CFE

I bet your organization works extremely hard to find good employees. Weeks of intensive searching, vetting of qualifications and background checks hopefully yield hardworking, loyal colleagues. Of course, you know all that cultivation still can yield some rotten apples.

Ryan Duquette, CFE, CFCE, author of the latest Fraud Magazine cover article, "Insider threats! Using digital forensics to prevent intellectual property theft," quotes studies that show that half of all departing employees leave with confidential company information — either deliberately or unintentionally. That's sobering. How are your organizations deterring the fraudulent flow of intellectual property out the door?

Because most fraud examinations focus on establishing if, and how, someone did what they're suspected of doing, the author writes, they must learn fraudsters' common methods to remove sensitive information. These include the obvious means, such as personal webmail accounts, portable storage media and personal devices. But they also include accessing corporate systems via remote sessions and cloud storage.

Duquette emphasizes that fraud examiners should be part of the everyday work routines to examine new and leaving employees. "Your input and expertise is vital because you might see different patterns and suggest other methods, which could help examine broader fraud matters in your organization,” he writes.

Fraud examiners can use their skills at observing behaviors to help their organizations, he explains, such as looking for those who take proprietary information home via thumb drives or email without authorization, and inappropriately seek or obtain proprietary or classified information on subjects not related to their work duties.

Duquette also says we can help by looking for those who disregard the organization's computer policies on installing personal software or hardware, access restricted websites, conduct unauthorized searches or download confidential information.

As always, we have to review local, regional and national privacy laws and regulations on examining employees, which seem to change daily around the world.

"If the employee’s role grants them privileged access to highly confidential data such as payment card numbers, personally identifiable information or financial information, there's a risk that your activities might result in compliance issues," Duquette writes. "For example, you might locate payment card and transactional data and duplicate it to present as evidence. That action, while well intended, might be in a contravention of a policy or control that you've agreed to adhere to because you're moving the data outside of a controlled environment."

As Duquette implores, don't let departing employees leave with valuable intellectual property. Use digital forensics in daily workflows before they resign and in exit interviews to prevent IP theft rather than potentially be involved in litigation after they're gone.

ONLINE EXCLUSIVE

Nikola Blagojevic, CFE, CISA

In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees — they're now ubiquitous. Upside: simple and quick communication. Downside: Smartphones are easily lost, stolen and susceptible to cyberattacks because of their technological vulnerabilities. According to the CNBC article, Biggest cybersecurity threats in 2016, by Harriet Taylor, Dec. 28, 2015, "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."

Poor configuration of particular smartphone parameters can also lead to security breaches. An attacker can initially target a smartphone that contains little or no classified data but then use it as a steppingstone to build a more complex attack to obtain access to sensitive applications or confidential data. For example, a hacker can use various seemingly unimportant pieces of data to social engineer victims to gain more information that could enable him to stage a successful attack.

So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.

Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.

Financial malware attacks.

Network congestion.

We can use these risks (listed from high to lower risk) along side the ISO 27002 standard to review professional use of smartphones within organizations. Internal auditors might not have the technical expertise, so you could hire external experts with specific skills to perform the proper tests. External experts also provide necessary independence for testing organizations' security measures.

Here are various measures that can help reduce the risks associated with mobile devices:

Encrypt mobile devices.

Regularly update mobile devices' applications and operating systems.

Set strong passwords. Each personal identification number (PIN) should be at least eight digits long because a four-digit PIN can be easily broken. Alphanumeric passwords should be at least eight characters long and shouldn't use common names or words. An easy way to help create a memorable password is to use a favorite sentence. For example, you can create a password from "The ACFE is reducing business fraud worldwide and inspiring public confidence." Use the first letters of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be: "t@1rbfw@1pc."

CFEs should safeguard security for their professional smartphones and those in their organizations because they're often laden with confidential company information. (Of course, CFEs shouldn't forget that paper data can be equally confidential and necessitate adequate security measures, but that's for another article.)

GUEST BLOGGER

When it comes to looking for ways to improve fraud detection and prevention efforts, sometimes it is best to get back to basics. By basics, I mean the very basics – shapes and colors.

Criminologist Dr. Donald R. Cressey developed the Fraud Triangle to help examiners understand what leads individuals to commit fraud. Many people refer to the signs that indicate an individual is facing pressure, sees an opportunity or is beginning to rationalize behaviors as red flags. The key becomes identifying the red flags that indicate the legs of the Fraud Triangle are coming together, thus increasing the risk for a potential fraud.

The August issue of the Journal of Accountancy includes an article that examines the inner-workings of an $8 million dollar fraud. In the article, there are repeated examples of pressures (debt, a new baby, gambling, divorce), opportunities (approval access, password knowledge) and rationalization (paying off existing debt). After reading the fraudster’s part of the article it is clear that the Fraud Triangle was complete and, though they went unnoticed, there were multiple red flags. The latter half of the article, written by Dr. Mark Nigrini (author of Forensic Analytics and Benford’s Law), explains the controls and methods organizations should consider to help mitigate the risk of the fraud scheme perpetrated.

This article emphasizes three important uses of data for fraud investigators:

Fraud Triangle analytics – While this fraud took place back in the early 2000s, today the widespread use of email, social media and instant messaging provides a large volume of data for analysis. Analyzing these communications, as well as the related geo-tagging data, may help an investigator identify pressures, opportunities and rationalizations.

Control testing – One of the keys to this fraud scheme’s success was the ability of the fraudster to log in to the system under another individual’s credentials. In fact, there are multiple users’ credentials the fraudster described using during the scheme. Analyzing the access logs of various users with check request and approval authority is beneficial for both deterrence and detection. For example, most employees work off a single computer. Users that log in through multiple terminals may be indicative of a control issue.

Payroll trends – The fraudster in the article stated his subordinate had to have the day off in order for the fraud to work. This provided the access needed to take the fraudulent checks. An analysis of the payroll detail, in this situation, would likely have shown an unusual pattern in vacation time for the subordinate. Typically used for vendor activity, trend analysis is also beneficial in analyzing payroll activity (or any activity with an expected pattern over time).

As technology changes, so too must our investigation methods. In 2004, when this fraud took place, it may not have been possible to use data for the three types of tests described above. Ten years later these are just a small subset of the ways fraud investigators use data. However, it all comes back to the basics of shapes and colors. Investigators use data to find the red flags indicating the legs of the Fraud Triangle are all in place.

Guest Blogger

Recently the digital currency, Bitcoin, has exploded into the news. Much of the news coverage has been decidedly negative. A number of events occurred that have instilled in the public’s mind a vaguely negative impression about Bitcoin, to those at least, who have actually ever heard of Bitcoin.

In October 2013, the FBI arrested Ross Ulbricht, a.k.a. “Dred Pirate Roberts,” who is alleged to have been the mastermind behind Silk Road, a website devoted to selling illegal drugs and other illicit items and services. The sole medium of exchange on Silk Road: Bitcoin. Then in January 2014, Charlie Shrem, a well-known member of the Bitcoin community and the CEO of BitInstant, one of the most well-known and largest bitcoin exchanges at the time, was arrested on money laundering charges. Later, in early 2014, Mt. Gox, the Tokyo-based digital currency exchange collapsed and the ensuing loss of millions of dollars-worth of customer’s bitcoins spread through the news like wildfire. Taken together, these events have caused many anti-fraud professionals working in law enforcement, regulatory agencies, compliance departments, as well as other institutions where digital currencies could conceivably be an issue, to eye Bitcoin and other alternative currencies with a healthy dose of skepticism.

Also, these events have hurt the relative strength of Bitcoin in relation to the dollar. The Bitcoin to dollar exchange rate reached a high of over $1,000 on some exchanges on November 27, 2013; however, the rate dropped to a low of $421.91 on April 7, 2014, and continues to fluctuate, further fueling skepticism about Bitcoin’s long-term viability.

In spite of the negative news, Bitcoin continues to gain support commercially among merchants and retailers. The Sacramento Kings of the National Basketball Association, the Chicago Sun-Times and Overstock.com, among others, now accept bitcoins as a method of payment. In addition, thousands of small businesses scattered across the U.S. with notable concentrations in San Francisco and New York, also are accepting bitcoins.

Because Bitcoin is a disruptive technology, there were no real applicable regulatory or enforcement mechanisms in place when Bitcoin came into existence in 2009. The nature of the Bitcoin protocol is such that regulations already in existence, in most cases, could not be easily adapted to the Bitcoin protocol. The exchange, transmission, trade, securitization and commoditization of bitcoins all have regulatory implications. Regulators are rightly concerned about such issues as consumer protection, anti-money laundering/countering the financing of terrorism, fraud prevention and more. However, because of Bitcoin’s disruptive nature, the application of existing regulations often place Bitcoin into a regulatory grey area.

For anti-fraud professionals whose work might involve digital currencies, it is important to reach out and coordinate efforts with other professionals, whether they are employed in law enforcement, regulatory agencies, or compliance departments. Digital currencies are here to stay, and a proactive approach will go a long way in successfully facing difficult issues related to digital currencies likely to arise in the future.

A key salesman left a manufacturing company, purportedly to work in sales in another industry. Under normal circumstances a company would be disappointed to lose a key salesman. However, in this instance, while productive, the salesman was a troublemaker and a constant source of negativity. Shortly after this salesman left the president and CEO of the company received a call from one of his top customers. The customer had just received a call from the company’s No. 1 competitor; this competitor was able to tell the customer the details of his latest order with the president’s company. The president and customer alike were concerned about how confidential company information was available to a competitor. After much reassurance to the customer, the president was able to save the order.

The president then engaged our firm to perform digital forensics and get to the bottom of things. We imaged the hard drives of the sales department. Upon analysis of the former salesman’s computer we found that immediately prior to leaving, the salesman had saved the companies detailed customer list to a USB drive. We also found frequent emails to his personal email address (webmail account) that included attachments containing order histories for key customers. Additionally, we analyzed the email exchange server and found emails between the former salesman and current sales staff. The email address being used by the former salesman was with the competitor in question. While the emails were innocent chit chat it revealed that the former salesman had not been truthful about his new place of employment, a fact which violated a non-compete agreement. Investigation of the corporate phone system indicated frequent calls from the former salesman’s cell phone to the current sales staff. We found that the current sales staff was relaying information to the former salesman during these “innocent” calls catching up on their day to day activity.

Situations like this occur more frequently than business owners would like to think. So what are some of the key signs employers should look for to help identify the malicious insider?

Employees who have a grudge against the company or are constantly talking about changing jobs

Increased rule-breaking or misbehavior

Physical altercations

Breaking dress code

Suspicious behavior

Signs of extreme stress

In addition to paying attention to how your employees are behaving, you need to implement monitoring technology to pinpoint the following:

Increased or unusual patterns in network/workplace access

Log reports of attempted unauthorized access

Large data transfers during nonbusiness hours

Frequent emails to outsiders with attachments

Excessive file downloads

As always, educating employees about the importance of security is always the first step in protecting company information. Annual renewals of non-disclosure agreements and employee education are key to protecting your company from the malicious insider and creating a culture of security.